SSLHandshakeException:PKIX路径构建失败,无法找到证书链
[英]SSLHandshakeException: PKIX path building failed with Unable to find certificate chain
问题描述
I am trying to Connect SSRS ReportServer with HTTPS Protocol from Java Client it's giving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Unable to find certificate chain But I have added the certificate in Java Keystore, It the keystore the certificate is showing with the defined alias name. 
我正在尝试通过Java Client从HTTPS协议连接SSRS ReportServer和HTTPS协议,从而使javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException:PKIX路径构建失败:java.security.cert.CertPathBuilderException:无法找到证书链,但是我已经在Java密钥库中添加了证书,使用定义的别名显示了证书所显示的密钥库。 But Same SSRS Request call is working with HTTP Protocol. 但是Same SSSS Request调用正在使用HTTP协议。 Note: We are using a wildcard certificate from Go-Daddy for secure communication 注意:我们使用Go-Daddy的通配符证书进行安全通信
2 个解决方案
解决方案1
0 2019-03-18 12:54:26
When you got your certificate, there should have been a p7b (possibly) included with it. 当您获得证书时,它应该包含一个p7b(可能)。
Essentially, when GoDaddy issues a certificate, they are not issued from the root directly. 本质上,当GoDaddy颁发证书时,它们不是直接从根颁发的。
Most likely you have one issued from an intermediate authority. 您最有可能是由中间机构发行的。
You can get the intermediate certificates at https://ssl-ccp.godaddy.com/repository?origin=CALLISTO 您可以通过https://ssl-ccp.godaddy.com/repository?origin=CALLISTO获得中间证书
The certificate chain needs to be appended to the actual certificate and imported on the server . 证书链需要附加到实际证书中,并导入到服务器上 。
The PEM file containing the cert being imported should look like: 包含要导入的证书的PEM文件应如下所示:
<actual certificate>
<intermediate certificate>
[<intermediate certificate> ...]
After that you shouldn't have a need to do anything else on the client. 之后,您无需在客户端上执行任何其他操作。
EDIT 编辑
After re-reading my answer, I realized there may be a little bit of vagueness with regard to the process. 重新阅读我的答案后,我意识到该过程可能有些含糊。 So in efforts to bring this more full cycle here we go. 因此,在努力使这个更完整的周期在这里,我们走了。
- Generate keypair / self-signed certificate as say PKCS#12 container. 生成密钥对/自签名证书,例如PKCS#12容器。
- Create PKCS#10 certificate signing request to send to GoDaddy of above certificate. 创建PKCS#10证书签名请求,以将上述证书发送到GoDaddy。
- GoDaddy returns signed X.509 Certificate (typically with instructions on how to install it). GoDaddy返回签名的X.509证书(通常包含有关如何安装它的说明)。
- Taking the certificate (assuming PEM format) and concatenate the issuance chain from https://ssl-ccp.godaddy.com/repository?origin=CALLISTO and import that back into the PKCS#12 from step 1. 获取证书(假定为PEM格式),并连接来自https://ssl-ccp.godaddy.com/repository?origin=CALLISTO的颁发链,然后将其从步骤1导入回PKCS#12。
- Assign the PKCS#12 as the TLS certificate store on the SSRS server. 将PKCS#12分配为SSRS服务器上的TLS证书存储。
解决方案2
0 2019-03-18 15:06:26
Can you verify that the certificate is added to 'Java Truststore' and not Keystore (although both have .jks extension). 您是否可以验证证书已添加到“ Java Truststore”而不是Keystore中(尽管两者都具有.jks扩展名)。 Have a look at this https://docs.oracle.com/cd/E19830-01/819-4712/ablqw/index.html 看看这个https://docs.oracle.com/cd/E19830-01/819-4712/ablqw/index.html
Keystore file, keystore.jks, contains the Application Server's certificate, including its private key
Truststore file, cacerts.jks, contains the Application Server's trusted certificates
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.